File name:

setup-FIXED-PROPER.exe

Full analysis: https://app.any.run/tasks/ecb7c1da-ce06-4619-98bd-2b901fee807c
Verdict: Malicious activity
Analysis date: May 19, 2024, 15:26:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3E449ADDE2231ACF989192F1190790EB

SHA1:

9159E131961BBEF78639145AAF62E9398C69692E

SHA256:

308F1E92D7BCBDA108EB52F4B4BE525CBB791076CDE0E299546744FE6C4CA6E1

SSDEEP:

98304:9d/SMPUQ+/uMLYOCFpAOLX46e/h//oShmxel+YxjyqcQmJQoUa2X8zJneB+peJN2:BRgmItQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup-FIXED-PROPER.exe (PID: 4084)
      • setup-FIXED-PROPER.tmp (PID: 1024)
      • unins000.exe (PID: 588)
      • _iu14D2N.tmp (PID: 1664)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup-FIXED-PROPER.exe (PID: 4084)
      • setup-FIXED-PROPER.tmp (PID: 1024)
      • unins000.exe (PID: 588)
      • _iu14D2N.tmp (PID: 1664)

    • Reads the Windows owner or organization settings

      • setup-FIXED-PROPER.tmp (PID: 1024)
      • _iu14D2N.tmp (PID: 1664)

    • Process drops legitimate windows executable

      • setup-FIXED-PROPER.tmp (PID: 1024)
      • _iu14D2N.tmp (PID: 1664)

    • Starts itself from another location

      • unins000.exe (PID: 588)

    • Starts application with an unusual extension

      • unins000.exe (PID: 588)

    • Reads the date of Windows installation

      • _iu14D2N.tmp (PID: 1664)

  • INFO

    • Checks supported languages

      • setup-FIXED-PROPER.exe (PID: 4084)
      • setup-FIXED-PROPER.tmp (PID: 1024)
      • FlushFileCache.exe (PID: 524)
      • unins000.exe (PID: 588)
      • _iu14D2N.tmp (PID: 1664)

    • Create files in a temporary directory

      • setup-FIXED-PROPER.exe (PID: 4084)
      • setup-FIXED-PROPER.tmp (PID: 1024)
      • unins000.exe (PID: 588)
      • _iu14D2N.tmp (PID: 1664)

    • Reads the computer name

      • setup-FIXED-PROPER.tmp (PID: 1024)
      • FlushFileCache.exe (PID: 524)
      • _iu14D2N.tmp (PID: 1664)

    • Creates a software uninstall entry

      • setup-FIXED-PROPER.tmp (PID: 1024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:02 05:04:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x16478
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Ghost of Tsushima DC Setup
FileVersion:
LegalCopyright: FitGirl
ProductName: Ghost of Tsushima DC
ProductVersion:
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start setup-fixed-proper.exe setup-fixed-proper.tmp flushfilecache.exe no specs unins000.exe _iu14d2n.tmp setup-fixed-proper.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
524"C:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\FlushFileCache.exe" C:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\FlushFileCache.exesetup-FIXED-PROPER.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-4ukca.tmp\flushfilecache.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
588"C:\Games\Ghost of Tsushima DC\unins000.exe" /VERYSILENTC:\Games\Ghost of Tsushima DC\unins000.exe
setup-FIXED-PROPER.tmp
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\games\ghost of tsushima dc\unins000.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1024"C:\Users\admin\AppData\Local\Temp\is-OGG3M.tmp\setup-FIXED-PROPER.tmp" /SL5="$30138,5328406,140800,C:\Users\admin\AppData\Local\Temp\setup-FIXED-PROPER.exe" C:\Users\admin\AppData\Local\Temp\is-OGG3M.tmp\setup-FIXED-PROPER.tmp
setup-FIXED-PROPER.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ogg3m.tmp\setup-fixed-proper.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1664"C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\Ghost of Tsushima DC\unins000.exe" /FIRSTPHASEWND=$301C4 /VERYSILENTC:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp
unins000.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_iu14d2n.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3980"C:\Users\admin\AppData\Local\Temp\setup-FIXED-PROPER.exe" C:\Users\admin\AppData\Local\Temp\setup-FIXED-PROPER.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Ghost of Tsushima DC Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\setup-fixed-proper.exe
c:\windows\system32\ntdll.dll
4084"C:\Users\admin\AppData\Local\Temp\setup-FIXED-PROPER.exe" C:\Users\admin\AppData\Local\Temp\setup-FIXED-PROPER.exe
explorer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Ghost of Tsushima DC Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\setup-fixed-proper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
2 428
Read events
2 231
Write events
186
Delete events
11

Modification events

(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
00040000CE6F97E900AADA01
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
B5D87A5631D57603C559E9147AA59093343784A678DA2D6CEBC90FB3DB875380
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:writeName:Speaker Configuration
Value:
4
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Games\Ghost of Tsushima DC\_Redist\dxwebsetup.exe
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
B179651406337A531A8FEDDA7594F60A427167022A6660D2826EB2B13ADB908A
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation:writeName:C:\Games\Ghost of Tsushima DC\GhostOfTsushima.exe
Value:
RUNASADMIN
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation:writeName:C:\Games\Ghost of Tsushima DC\GhostOfTsushima.exe
Value:
RUNASADMIN
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost of Tsushima DC_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.5.1.ee2 (u)
(PID) Process:(1024) setup-FIXED-PROPER.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost of Tsushima DC_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Games\Ghost of Tsushima DC
Executable files
47
Suspicious files
3
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\cls-lollypop_x86.exeexecutable
MD5:3527C6739C46F4EE1CFB6B48E1407883
SHA256:724C6E07180E321298B4EA4405C3F7536C524D9826D24F5D6FC50BCB0EF8F723
4084setup-FIXED-PROPER.exeC:\Users\admin\AppData\Local\Temp\is-OGG3M.tmp\setup-FIXED-PROPER.tmpexecutable
MD5:AE9890548F2FCAB56A4E9AE446F55B3F
SHA256:09AF8004B85478E1ECA09FA4CB5E3081DDDCB2F68A353F3EF6849D92BE47B449
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\cls-srep_x64.exeexecutable
MD5:6AE2ADD85EC2B642D865FFAAA391D5BB
SHA256:ED8A485B9984997306EA6B5C6D98B5026A5B7903C1DF4C229BF93BF113C78EE9
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\BASS.dllexecutable
MD5:8005750EC63EB5292884AD6183AE2E77
SHA256:DF9F56C4DA160101567B0526845228EE481EE7D2F98391696FA27FE41F8ACF15
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\cls-magic2.dllexecutable
MD5:9E1E200472D66356A4AE5D597B01DABC
SHA256:87DF573AC240E09EA4941E169FB2D15D5316A1B0E053446B8144E04B1154F061
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\ISDone.dllexecutable
MD5:63DC27B7BC65243EFAA59A9797A140BA
SHA256:C652B4B564B3C85C399155CBB45C6FB5A9F56F074E566BFD20F01DA6E0412C74
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\wintb.dllexecutable
MD5:9436DF49E08C83BAD8DDC906478C2041
SHA256:1910537AA95684142250CA0C7426A0B5F082E39F6FBDBDBA649AECB179541435
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\cls-srep_x86.exeexecutable
MD5:FC7DD2CA9F47D64EDD3B2061CD8DB1B3
SHA256:4004BA624F8CE381C61C82ABA26E246D93E833357930C17CD4B02058EA31FAD4
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\cls-lollypop.dllexecutable
MD5:0EF04BC15FD1B28975AFF2951B857F03
SHA256:F84677643D9977AA1E8A4AA8C85A12665D29A4E8292485A0B4DF846DD161F824
1024setup-FIXED-PROPER.tmpC:\Users\admin\AppData\Local\Temp\is-4UKCA.tmp\cls-lollypop_x64.exeexecutable
MD5:5B848A24126F54A2C3C7B7393B536D33
SHA256:2D32C4F4522BC62F63C7949313434F6CA0EAA6B65B44EE5AA8B6B877988B1AA8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup-FIXED-PROPER.exe